From ba0c279de41838da37af61db30d55d0f74dbffc9 Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Fri, 2 Mar 2018 14:14:44 -0800
Subject: [PATCH] Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials.
Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified that there were no denials.
Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)
---
private/dumpstate.te | 7 +++++++
private/installd.te | 4 ++++
private/storaged.te | 3 +++
vendor/hal_camera_default.te | 4 ++++
4 files changed, 18 insertions(+)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 8b72457e3..2c2a62f53 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -38,3 +38,10 @@ get_prop(dumpstate, boottime_prop) allow dumpstate { statsd }:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/private/installd.te b/private/installd.te
index f74843dd1..055371631 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -16,3 +16,7 @@ domain_auto_trans(installd, idmap_exec, idmap) # Create /data/.layout_version.* file type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/private/storaged.te b/private/storaged.te
index f5b709245..8ad872f61 100644
--- a/private/storaged.te
+++ b/private/storaged.te
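Review bot: In private/dumpstate.te the two `dontaudit` rules at the end of the hunk hide the perfprofd and update_engine binder-call denials rather than granting or removing the access, and the shared `# For collecting bugreports.` comment gives no reason for that. A dontaudit also suppresses the same audit record outside a bugreport run, so it should carry its own comment, for example `# dumpstate has no need to call these services; suppress the expected denial.` (the reason itself is for the author to confirm). The commit message mentions neverallow rules, but none of the four hunks shown adds one. As a style point, `webview_zygote` could join the existing `allow dumpstate { statsd }:process signal;` set in the context lines instead of getting a separate rule.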
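Review bot: In private/installd.te the second added rule grants `r_file_perms` on dumpstate's pipe, while the storaged.te and hal_camera_default.te hunks of this commit grant only `write` on the same class. `r_file_perms` is a macro that expands to several read-side permissions, so it likely allows more than the denial that was observed; listing only the logged permissions, e.g. `allow installd dumpstate:fifo_file { <perms from the denial> };`, would keep the grant minimal. If installd really does read from a dumpstate-owned pipe, a comment naming that code path would help the next reviewer. The storaged.te hunk also adds no `dumpstate:fd use` rule, unlike the other two; presumably another rule already covers it, which is worth confirming.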
@@ -51,6 +51,9 @@ allow storaged package_native_service:service_manager find; # running as root. See b/35323867 #3. dontaudit storaged self:global_capability_class_set dac_override;
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
 ### ### neverallow ###
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 239e5c19b..5bc4a6191 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -5,3 +5,7 @@ type hal_camera_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_camera_default) allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+
+# For collecting bugreports.
+allow hal_camera_default dumpstate:fd use;
+allow hal_camera_default dumpstate:fifo_file write;
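Review bot: In vendor/hal_camera_default.te the two added rules are bound to the `hal_camera_default` domain type, so a camera HAL running in a different, device-specific domain would presumably still be denied when dumpstate hands it a pipe. The commit message lists testing on Sailfish and Walleye only, so such a case may not have shown up. If the intent is that every camera HAL server can write its dump, the rule probably belongs on the HAL's server attribute in shared policy rather than on this one type; otherwise a comment such as `# Only the default camera HAL is dumped by dumpstate.` would make the scope explicit.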